Krebs on Security

In-depth security news and investigation

In the wake of a scandal involving third-party companies leaking or selling precise, real-time location data on virtually all Americans who own a mobile phone, AT&T, Sprint and Verizon now say they are terminating location data sharing agreements with third parties.

At issue are companies known in the wireless industry as “location aggregators,” entities that manage requests for real-time customer location data for a variety of purposes, such as roadside assistance and emergency response. These aggregators are supposed to obtain customer consent before divulging such information, but several recent incidents show that this third-party trust model is fundamentally broken.

On May 10, 2018, The New York Times broke the story that a little-known data broker named Securus was selling local police forces around the country the ability to look up the precise location of any cell phone across all of the major U.S. mobile networks.

Then it emerged that Securus had been hacked, its database of hundreds of law enforcement officer usernames and passwords plundered. We also learned that Securus’ data was ultimately obtained from a company called 3Cinteractive, which in turn obtained its data through a California-based location tracking firm called LocationSmart.

On May 17, KrebsOnSecurity broke the news of research by Carnegie Mellon University PhD student Robert Xiao, who discovered that a LocationSmart try-before-you-buy opt-in demo of the company’s technology was wide open — allowing real-time lookups from anyone on anyone’s mobile device — without any sort of authentication, consent or authorization.

LocationSmart disabled its demo page shortly after that story. By that time, Sen. Ron Wyden (D-Ore.) had already sent letters to AT&T, Sprint, T-Mobile and Verizon, asking them to detail any agreements to share real-time customer location data with third-party data aggregation firms.

AT&T, T-Mobile and Verizon all said they had terminated data-sharing agreements with Securus. In a written response (PDF) to Sen. Wyden, Sprint declined to share any information about third-parties with which it may share customer location data, and it was the only one of the four carriers that didn’t say it was terminating any data-sharing agreements.

T-Mobile and Verizon each said they share real-time customer data with two companies — LocationSmart and another firm called Zumigo, noting that these companies in turn provide services to a total of approximately 75 other customers.

Verizon emphasized that Zumigo — unlike LocationSmart — has never offered any kind of mobile location information demo service via its site. Nevertheless, Verizon said it had decided to terminate its current location aggregation arrangements with both LocationSmart and Zumigo.

“Verizon has notified these location aggregators that it intends to terminate their ability to access and use our customers’ location data as soon as possible,” wrote Karen Zacharia, Verizon’s chief privacy officer. “We recognize that location information can provide many pro-consumer benefits. But our review of our location aggregator program has led to a number of internal questions about how best to protect our customers’ data. We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices.”

In its response (PDF), AT&T made no mention of any other company besides Securus. AT&T indicated it had no intention to stop sharing real-time location data with third-parties, stating that “without an aggregator, there would be no practical and efficient method to facilitate requests across different carriers.”

“Verizon deserves credit for taking quick action to protect its customers’ privacy and security,” Wyden said. “After my investigation and follow-up reports revealed that middlemen are selling Americans’ location to the highest bidder without their consent, or making it available on insecure web portals, Verizon did the responsible thing and promptly announced it was cutting these companies off. In contrast, AT&T, T-Mobile, and Sprint seem content to continuing to sell their customers’ private information to these shady middle men, Americans’ privacy be damned.”

Update, 5:20 p.m. ET: Shortly after Verizon’s letter became public, AT&T and Sprint have now said they, too, will start terminating agreements to share customer location data with third parties.

“Based on our current internal review, Sprint is beginning the process of terminating its current contracts with data aggregators to whom we provide location data,” the company said in an emailed statement. “This will take some time in order to unwind services to consumers, such as roadside assistance and fraud prevention services. Sprint previously suspended all data sharing with LocationSmart on May 25, 2018. We are taking this further step to ensure that any instances of unauthorized location data sharing for purposes not approved by Sprint can be identified and prevented if location data is shared inappropriately by a participating company.”

AT&T today also issued a statement: “Our top priority is to protect our customers’ information, and, to that end, we will be ending our work with aggregators for these services as soon as practical in a way that preserves important, potential lifesaving services like emergency roadside assistance.”

KrebsOnSecurity asked T-Mobile if the company planned to follow suit, and was referred to a tweet today from T-Mobile CEO John Legere, who wrote: “I’ve personally evaluated this issue & have pledged that T-Mobile will not sell customer location data to shady middlemen.” In a follow-up statement shared by T-Mobile, the company said, “We ended all transmission of customer data to Securus and we are terminating our location aggregator agreements.”

Wyden’s letter asked the carriers to detail any arrangements they may have to validate that location aggregators are in fact gaining customer consent before divulging the information. Both Sprint and T-Mobile said location aggregators were contractually obligated to obtain customer consent before sharing the data, but they provided few details about any programs in place to review claims and evidence that an aggregator has obtained consent.

AT&T and Verizon each said they have processes for periodically auditing consent practices by the location aggregators, but that Securus’ unauthorized use of the data somehow flew under the radar.

AT&T noted that it began its relationship with LocationSmart in October 2012 (back when it was known by another name, “Locaid”). Under that agreement, LocationSmart’s customer 3Cinteractive would share location information with prison officials through prison telecommunications provider Securus, which operates a prison inmate calling service.

But AT&T said after Locaid was granted that access, Securus began abusing it to sell an unauthorized “on-demand service” that allowed police departments to learn the real-time location data of any customer of the four major providers.

“We now understand that, despite AT&T’s requirements to obtain customer consent, Securus did not in fact obtain customer consent before collecting customers’ location information for its on-demand service,” wrote Timothy P. McKone, executive vice president of federal relations at AT&T. “Instead, Securus evidently relied upon law enforcement’s representation that it had appropriate legal authority to obtain customer location data, such as a warrant, court order, or other authorizing document as a proxy for customer consent.”

McKone’s letter downplays the severity of the Securus incident, saying that the on-demand location requests “comprised a tiny fraction — less than two tenths of one percent — of the total requests Securus submitted for the approved inmate calling service. AT&T has no reason to believe that there are other instances of unauthorized access to AT&T customer location data.”

Blake Reid, an associate clinical professor at the University of Colorado School of Law, said the entire mobile location-sharing debacle shows the futility of transitive trust.

“The carriers basically have arrangements with these location aggregators that contractually say, ‘You agree not to use this access we provide you without getting customer consent’,” Reid said. “Then that aggregator has a relationship with another aggregator, and so on. So what we then have is this long chain of trust where no one has ever consented to the provision of the location information, and yet it ends up getting disclosed anyhow.”

This entry was posted on Tuesday, June 19th, 2018 at 2:03 pm and is filed under A Little Sunshine, The Coming Storm.

38 comments

I’m shocked at VZW! Was thinking they’re the last ones I’d trust with my data. Watch your privacy settings with them, they seem to reset your options to “share everything” often. If the other guys are worse? Hoo boy…

Kinda wondering how lawsuits over this sort of stuff may or may not be covered by that whole “binding arbitration” thing companies seem to love to do so much- and the present Supreme Court seems content to let stand.

If you’re wondering if I’m feeling like this kind of stuff only gets responsible when it starts costing the responsible parties money, then you’d be correct.

Brian: Sounds like it was a publicity stunt by Verizon: “We will not enter into new location aggregation arrangements unless and until we are comfortable that we can adequately protect our customers’ location data through technological advancements and/or other practices.”
All they have to do is say they vetted the Aggregator.
Syniverse, a Tampa company is an aggregator, having come from GTE, and the back-end clearinghouse for cell providers world-wide.
They have a fraud detection service sold to banks, e.g., one use case: when a card is swiped at a gas station, the bank pulls up the customer cell number, provides it to Syniverse; Syniverse queries the carrier and provides location to bank, bank checks it with gas station address, and if same, authorizes transaction. Detects fake cards that are often tested at gas stations.
For Syniverse to sell the services, they have to have buy-in from all major carriers, and I understand there was a 50/50 revenue sharing arrangement. Carriers got 50% of amount charged to bank.
That industry is not falling apart – all Verizon said was they will vet their partners.
As always, appreciate all you do.

Far be it from me to defend the practices of Verizon or any of the other providers, but Verizon did say very clearly in their letter that they were terminating the data sharing agreements they currently have. Could they take up new ones at a moment’s notice? Sure. But bear in mind that Syniverse is probably one of the 75 downstream companies that are served by LocationSmart and/or Zumigo, both companies Verizon said it would end agreements with.

I’ve been very clear in previous stories that assurances by the mobile carriers are not enough, and that it is high time for Congress and/or the federal regulators to step in. Not holding my breath that this is going to happen anytime soon, but just so you know where I stand on this.

Well said and I agree. However, I think it is unfortunate that we have to turn to politics to force a company to be moral and ethical. I know that it is unrealistic to view it that way. Individual privacy is gone in the tech age. Facial recognition can tag where you are or have been. Government entities scan license plates to check for parking violations that then can be accessed by anyone by the freedom of information act. A quote from the original Jurassic Park movie fits with this type of technology. “your scientists were so preoccupied with whether or not they could that they didn’t stop to think if they should.”

I think it’s rather naive to think that companies have ever been moral and ethical without government regulation. Throughout the history of the US there have been groups who perform unethical acts who then get made illegal by regulation. If you don’t regulate them they’re just going to keep doing what they’re doing because it’s not illegal and they can make money doing it, which leads to more groups doing it and so on.

The data sharing agreement with the FBI goes something like this: “Give us access or we hit you with steady flood of subpoenas. Either your staff does the work at your expense or FBI staff does the work at FBI expense.”

In the old days (1980’s), they would just place a full-time FBI agent with a desk at AT&T, then later the baby bells. At some point the on-site FBI agent was replaced with remote access.

I don’t mind sharing my location data. That’s not the issue. The issue is consent. I have my iPhone (Apple) and my browsers (Google and Mosaic) asking if they can share my location. I answer “Yes” or “No” depending on who’s asking.

But Verizon never asks me if it can share my location data. And I object to that. Especially since I have no control over what Verizon does with that data. A blanket “Yes” or “No” is not sufficient in Verizon’s case; I want to know who they’re sharing it with. Then I can decide.

Is it clear at this point if Verizon had something the consumer had to acknowledge that gave them permission to share that data in the first place?

Hopefully my practice of disabling WiFi and never allowing location related permissions unless actively using Google maps helps, but I’m disgusted with them for ever thinking it was OK to have such practices. I wonder if they still give away tower usage info even if you block GPS based location sharing in Apps.

I am grateful that Brian Krebs had a big hand in stopping the sale of real-time location cell phone data to the worst offenders such as Securus and Locationsmart. He should be congratulated and recognized for his efforts. This is a step forward for safety and privacy.

I am skeptical after reading Sprint’s convoluted reply to Sen. Wyden and then suddenly making a reversal on that letter that third party cell phone location data sales will end soon.

I notice some of the major cell phone carriers say they are “winding down” and “as soon as practical” this real time cell phone location data sales but at a rather slow pace. Could this slow pace just allow real-time cell phone location data sales to be reincarnated in a different way?

More concerning is the fact that these real time cell phone location data sales are baked into these large cell phone carriers contracts.

ZDnet:

“Sprint hinted that its privacy policy allows the phone giant to share customers’ personal data, “including location information” with third-parties. Verizon, in its letter to Wyden’s office, also hinted that customers give their consent by agreeing to the company’s privacy policy.”

“…We also share de-identified or aggregate information for purposes such as to: …Conduct market or traffic flow analysis and reporting or produce or facilitate production by others of business and marketing reports to share with third parties…”

These contracts are confusing and sometimes spread over many parts of the cell phone companies’ website, causing some customers to give up reading and just agree to these contracts to get their cell phone service up and running.

AP Story:

“The cutoff won’t affect users’ ability to share locations directly with apps and other services. Rather, it deals with the practice of providing data to third parties with whom users have no direct contact… Popular commercial uses for the information include keeping tabs on packages, vehicles and employees; bank fraud prevention; and targeted marketing offers.”- AP

It would seem logical that if most subscriber location data for cell phones is constantly used by app developers and other “services” that these “apps and other services” would jump at the chance of taking Securus and Locationsmart’s business and re-branding it under a camouflage name.

For example “better roadside assistance,” “Accurate weather forecasts in your area,” “Avoid real-time traffic jams with Wyze” and “Keep your children safe of the new Find Your Child Now app.” type of ads.

Or, location data could be built into necessary “telemetry” for the newest Android/iPhone/Microsoft mobile phone – such as the data leakage issue due to telemetry per Windows 10 or any combination of the above. As long as location data is being sold to third party “app makers” I would guess this data will find its way back to the hands of shady characters.

I would encourage Brian Krebs to continue to monitor this real-time cell phone location data still being sold to third party app makers and keep both the public and politicians informed.

This real time location tracking data for use in apps is not only a danger regarding warrantless searches but a physical danger to both American citizens and foreign visitors to America who use cell phones.

Well, it’s just one person/small family, but the Verizon person who responded to my inquiry about LS didn’t know what LocationSmart was and said, “I would suggest contacting the creator of this application, to see if this can be disabled.” Then I cancelled 4 of my 6 devices with them. Maybe I wasn’t the only one who complained.

Both Sprint and T-Mobile said location aggregators were contractually obligated to obtain customer consent before sharing the data, but they provided few details about any programs in place to review claims and evidence that an aggregator has obtained consent.

I’m all for cancelling these sorts of arrangements but have to wonder about unintended consequences. For instance, do any of these aggregators provide services to 911 operations to help track down emergency calls? My gut says “probably so.” And that’s the problem even with opt-in solutions. If my cell provider asks me if they can share my location data so 911 can find me, I’ll say yes and we’ll be right back where we started with hundreds of aggregators selling info for any purpose under the sun.

I disagree with those who suggest there ought to be a law requiring opt-in consent. Most people are too stupid or too lazy to care about security or their location data. They’ll click “Ok” to just about any prompt, without reading consent agreements or privacy policies. Opt-in means one extra click.

The mobile carriers are already covered by laws and regulations. Every new rule gets circumvented without consequence.

We do not need more government. We need BETTER government. We need the government to use the laws it already has regarding fraud to lock up executives and break up corporations.

Nothing really will change until executives get thrown in jail for this fraud on customers. Their “commitment to privacy” is a lie that deserves jail.

Similarly, corporations that present lies to customers ought to have assets seized and sold at auction, as proceeds of fraud. Enough of the lie that “safety and security is our top concern.” Enough of their hiding behind advertising campaigns and fine print.

As always I enjoy your in-depth coverage on many topics. I see what I think is a small discrepancy between your title and the actual content.

The title indicates AT&T, Sprint, Verizon have agreed to stop sharing data. (Implying maybe T-Mobile has not). But when reading the article it appears T-Mobile did agree, and Sprint is actually the hold-out.

Don — That story was a fast-developing one that changed over the course of several hours that day. Initially, only Verizon had said it would wind down current agreements to share/sell location data. By the end of the day, however, all of the providers had made a similar pledge. If you read the updates, that should be clear.

On the one hand, if I’m not a customer of the big four, it seems like they shouldn’t have info on me in their database to sell to third parties.

On the other hand, if I’m with a MVNO riding on the T-Mobile or Sprint network, and all that Securus needs is a phone number, then the networks would have at least that to sell them. But do they also keep/sell location history for MVNO customers?

Of all the businesses I have to deal with being in top management, AT&T is BY FAR the WORST. They are embarrassingly terrible. And I’m not referring to their cell phone service, I’m talking about backbone, networking business services. They’re worse than 9/11 and the Holocaust combined. That bad.